A user is having trouble with Windows Admin Center (WAC) version 2410 when trying to replace the default certificate with one from a third-party Certificate Authority (CA). They installed the third-party certificate, which matches the server's DNS FQDN, in the local machine store. Despite specifying the correct thumbprint, WAC continues to bind to an internally issued WinRM certificate that has the same common name but a later expiration date. The same problem persists when the WAC GUI is used to replace the certificate.

They confirmed that the NETWORK SERVICE account has access to the private key. Manually rebinding with `netsh` and restarting services did not resolve the issue, and the web browser still shows the internal CA certificate. The `Set-WACCertificateAcl` cmdlet fails with an error indicating that it cannot find the machine key path.

The problem seems to be caused by multiple valid certificates sharing the same common name; the user suspects WAC is prioritizing the certificate with the latest expiration date. They have confirmed that the specified third-party certificate is correctly configured. They want to use the third-party certificate for HTTPS and the internal CA certificate for WinRM. The core problem is the inability to force WAC to use the intended certificate.
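
A diagnostic for the situation described above, as an added example that is not part of the original post: it lists every certificate in the local machine store that carries the server's name, newest expiry first, and then checks which certificate the HTTPS endpoint actually presents. The function names, host name, port and thumbprint placeholder are assumptions to be replaced with your own values.

```powershell
# Added example. Function names are hypothetical; host, port and thumbprint are placeholders.
function Get-SameNameCertificate {
    param([Parameter(Mandatory)][string]$DnsName)
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            # Match on the DNS name (SAN, falling back to CN) or on the simple name (CN).
            $_.GetNameInfo($nameType::DnsName, $false) -eq $DnsName -or
            $_.GetNameInfo($nameType::SimpleName, $false) -eq $DnsName
        } |
        Sort-Object NotAfter -Descending |
        Select-Object Thumbprint, Issuer, NotAfter, HasPrivateKey
}

function Get-PresentedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $ssl = $null
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate: the goal is to inspect what is served, not to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

$fqdn     = 'wac01.example.test'            # constructed placeholder: the server's DNS FQDN
$port     = 443                             # assumption: the port your WAC gateway listens on
$expected = '<THIRD-PARTY-CERT-THUMBPRINT>' # placeholder: thumbprint of the intended certificate

# Every candidate with the same name; the one with the latest NotAfter is listed first.
Get-SameNameCertificate -DnsName $fqdn | Format-Table -AutoSize

# What the HTTPS endpoint serves, compared with what was configured.
$served = Get-PresentedCertificate -HostName $fqdn -Port $port
[pscustomobject]@{
    ServedThumbprint = $served.Thumbprint
    Issuer           = $served.Issuer
    NotAfter         = $served.NotAfter
    MatchesExpected  = $served.Thumbprint -eq ($expected -replace '\s')
}
```

Running it before and after each rebind attempt gives a record of which thumbprint was served, independent of browser caching.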
techcommunity.microsoft.com
